dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License

Workloads: Better handling of package signature failures during install #24887

Open sandyarmstrong opened 2 years ago

sandyarmstrong commented 2 years ago

Requests

  1. If package signature validation fails, check for a properly signed version of the package in other specified feeds before aborting workload installation.
  2. If package signature validation fails, print the feed where the offending package is located to make debugging easier.
  3. Provide a way to disable package signature validation during workload installation.

Background

I usually install the macos workload using a rollback file. I do something like this:

sudo dotnet workload install macos --source https://aka.ms/dotnet6/nuget/index.json --source https://api.nuget.org/v3/index.json --from-rollback-file rollback.json

rollback.json looks something like this:

{
  "microsoft.net.sdk.macos": "12.1.301-preview.13.4",
  "microsoft.net.workload.mono.toolchain": "6.0.2-mauipre.1.22102.15"
}

This works fine on macOS (which does not support package signature validation yet). On Windows, though, I very frequently run into errors like this:

Installing macos...

Updated advertising manifest microsoft.net.sdk.maui.
Updated advertising manifest microsoft.net.sdk.android.
Updated advertising manifest microsoft.net.sdk.macos.
Updated advertising manifest microsoft.net.sdk.ios.
Updated advertising manifest microsoft.net.workload.emscripten.
Updated advertising manifest microsoft.net.workload.mono.toolchain.
Updated advertising manifest microsoft.net.sdk.maccatalyst.
Updated advertising manifest microsoft.net.sdk.tvos.
Installing workload manifest microsoft.net.workload.mono.toolchain version 6.0.2-mauipre.1.22102.15…
Workload installation failed. Rolling back installed packs...
Installing workload manifest microsoft.net.workload.mono.toolchain version 6.0.2-mauipre.1.22102.15…
Installation rollback failed: Failed to install manifest microsoft.net.workload.mono.toolchain version 6.0.2-mauipre.1.22102.15: The transaction has aborted..
Workload installation failed: Failed to install manifest microsoft.net.workload.mono.toolchain version 6.0.2-mauipre.1.22102.15: Failed to validate package signing.

Verifying Microsoft.NET.Workload.Mono.ToolChain.Manifest-6.0.200.6.0.2-mauipre.1.22102.15

error: NU3004: The package is not signed.

Package signature validation failed.

I believe this occurs because there is a mix of signed and unsigned packages in the feeds I use (which I do not control, see https://github.com/dotnet/maui/wiki/macOS-Install). When I'm using fully released packages, it's typically enough to drop https://aka.ms/dotnet6/nuget/index.json and just use https://api.nuget.org/v3/index.json. But frequently I need to use prerelease workloads where packages are spread across multiple feeds that I do not control. When this happens, it feels impossible to install the workload on Windows.

So it would be nice if workload installation handled this scenario more gracefully. I would like to be able to disable package signature validation entirely. I would like more actionable error messages that let me know what feed is providing the unsigned package. And ideally, I'd like the package resolution during installation to be able to check other feeds for a properly signed package before giving up on the workload entirely.
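A diagnostic that does what requests 1 and 2 ask for, as an added example (not code from this issue or from the SDK): it walks the rollback file, looks for each manifest package on every feed, and reports which feed serves an unsigned one by checking for the `.signature.p7s` entry NuGet uses to mark a signed .nupkg (its absence is what NU3004 reports). The feed base URLs, the feature band `6.0.200` read off the log line, and the `<manifest>.Manifest-<band>` package naming are assumptions.

```python
import io, json, zipfile
from urllib.request import urlopen

# Constructed sample with the same content as the issue's rollback.json.
ROLLBACK_JSON = ('{"microsoft.net.sdk.macos": "12.1.301-preview.13.4", '
                 '"microsoft.net.workload.mono.toolchain": "6.0.2-mauipre.1.22102.15"}')
# NuGet stores a package's primary signature in this zip entry; a .nupkg
# lacking it is what NU3004 ("The package is not signed") reports.
SIGNATURE_ENTRY = ".signature.p7s"

def manifest_package_id(manifest_id, feature_band):
    # Pattern inferred from the log line "...Mono.ToolChain.Manifest-6.0.200";
    # the feature band value is an assumption taken from that line.
    return f"{manifest_id}.Manifest-{feature_band}"

def flat_container_url(base, package_id, version):
    # NuGet v3 flat-container download path (id and version lower-cased).
    pid, ver = package_id.lower(), version.lower()
    return f"{base.rstrip('/')}/{pid}/{ver}/{pid}.{ver}.nupkg"

def is_signed_nupkg(nupkg_bytes):
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        return SIGNATURE_ENTRY in zf.namelist()

def build_sample_nupkg(signed):
    # Constructed stand-in for a downloaded .nupkg, for offline runs/tests.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.nuspec", "<package/>")
        if signed:
            zf.writestr(SIGNATURE_ENTRY, b"\x30")  # placeholder, not a real CMS blob
    return buf.getvalue()

def audit_rollback(rollback_json, feeds, feature_band, fetch=None):
    # feeds: name -> flat-container base URL. These are NOT the index.json URLs
    # from the issue; resolve each feed's PackageBaseAddress resource first.
    # fetch(url) -> bytes is injectable so the audit can run offline.
    fetch = fetch or (lambda url: urlopen(url, timeout=30).read())
    report = {}  # (manifest id, feed name) -> True if signed
    for manifest_id, version in json.loads(rollback_json).items():
        pid = manifest_package_id(manifest_id, feature_band)
        for feed, base in feeds.items():
            try:
                data = fetch(flat_container_url(base, pid, version))
            except OSError:
                continue  # package not served by this feed
            report[(manifest_id, feed)] = is_signed_nupkg(data)
    return report
```

Run against real feeds by passing their flat-container base URLs and omitting `fetch`; any `(manifest, feed)` entry that is `False` is the feed to drop or the package to report.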

baronfel commented 10 months ago

I believe our current guidance for local dev loop is using the --skip-sign-check option for install commands - this should help you skip the checks entirely. I'm not sure how much control we have over the feed selection - nuget without PackageSourceMapping is kind of a broad-swatch approach, and workload packs don't interact with PackageSourceMapping as of yet.